Abstract — Rigorous privacy mechanisms that can cope with 
dynamic data are required to encourage a wider adoption of 
large-scale monitoring and decision systems relying on end- 
user information. A promising approach to develop these 
mechanisms is to specify quantitative privacy requirements at 
design time rather than as an afterthought, and to rely on 
signal processing techniques to achieve satisfying trade-offs 
between privacy and performance specifications. This paper 
discusses, from the signal processing point of view, an event 
stream analysis problem introduced in the database and cryp- 
tography literature. A discrete-valued input signal describes the 
occurrence of events contributed by end-users, and a system is 
supposed to provide some output signal based on this informa- 
tion, while preserving the privacy of the participants. The notion 
of privacy adopted here is that of event-level differential privacy, 
which provides strong privacy guarantees and has important 
operational advantages. Several mechanisms are described to 
provide differentially private output signals while minimizing 
the impact on performance. These mechanisms demonstrate the 
benefits of leveraging system theoretic techniques to provide 
privacy guarantees for dynamic systems. 

I. Introduction 

Privacy issues associated with emerging large-scale mon- 
itoring and decision systems are receiving an increasing 
amount of attention. Indeed, privacy concerns are already 
resulting in delays or cancellations in the deployment of 
smart grids, location-based services, or civilian unmanned 
aerial systems [1]. In order to encourage the adoption of these 
systems, which can have important societal benefits, new 
mechanisms providing clear and rigorous privacy protection 
guarantees are needed. 

Unfortunately, providing such guarantees for a system 
generally involves sacrificing some level of performance. 
Evaluating the resulting trade-offs rigorously requires a 
quantitative definition of privacy, and in the last few years 
the notion of differential privacy has emerged essentially as 
a standard specification [2]. Intuitively, a system receiving 
inputs from end-users is differentially private if one cannot 
infer from its observable behavior if any specific individual 
contributed its data or not. Other quantitative notions of 
privacy have been proposed, e.g., [3], [4], but the differential 
privacy definition has important operational advantages. In 
particular, it does not require modeling the available auxiliary 
information that can be linked to the output of the system 
of interest to create privacy breaches. Moreover, it is an 
achievable privacy goal despite the fact that a database on 
which an individual has no influence could still potentially 
leak information about her in the presence of arbitrary 
auxiliary information [2]. 

Nevertheless, differential privacy is a very strong notion of 
privacy and might require large perturbations to the published 
results of an analysis in order to hide the presence of 
individuals. This is especially true for applications where 
users continuously contribute data over time, and it is thus 
important to design advanced mechanisms that can limit 
the impact on system performance of differential privacy 
requirements. Previous work on designing differentially private 
mechanisms for the publication of time-series includes 
[5], [6], but these mechanisms are not causal and hence 
not suited for real-time applications. The papers [7]-[9] 
provide real-time mechanisms to approximate a few specific 
filters transforming user-contributed input event streams into 
public output streams. For example, [7], [8] consider a 
private accumulator providing the total number of events that 
occurred in the past. This paper is inspired by this scenario, 
and builds on our previous work on this problem [10, Section 
IV] [11, Section VI]. 

The rest of the paper is organized as follows. Section II 
provides some technical background on differential privacy 
and describes a basic mechanism enforcing privacy by injecting 
white Gaussian noise. Section III describes the real-time 
event stream filtering scenario of interest. In Section IV we 
optimize architectures based on linear estimators to provide 
real-time private filters with reduced impact on performance. 
Section V attempts to leverage the knowledge that the 
input stream takes values in a discrete set, by considering 
slightly non-linear structures based on decision-feedback 
equalization. Finally, we conclude with a brief illustrative 
example in Section VI. 



II. Differential Privacy 

In this section we review the notion of differential privacy 
[12] as well as a basic mechanism that can be used to achieve 
it when the released data belongs to a finite-dimensional 
vector space. We refer the reader to the surveys by Dwork, 
e.g., [2], for additional background on differential privacy, 
and to [11] for the proofs of the results in this section. 

A. Definition 

Let us fix some probability space $(\Omega, \mathcal{F}, \mathbb{P})$. Let $\mathsf{D}$ be a 
space of datasets of interest (e.g., a space of data tables, 
or a signal space). A mechanism is a map $M : \mathsf{D} \times \Omega \to \mathsf{R}$, 
for some measurable output space $\mathsf{R}$, such that for any 
element $d \in \mathsf{D}$, $M(d, \cdot)$ is a random variable, typically written 
simply $M(d)$. A mechanism can be viewed as a probabilistic 
algorithm to answer a query $q$, which is a map $q : \mathsf{D} \to \mathsf{R}$. 



Next, we introduce the definition of differential privacy. 
Intuitively, in the following definition, $\mathsf{D}$ is a space of datasets 
of interest, and we have a symmetric binary relation Adj on 
$\mathsf{D}$, called adjacency, such that $\mathrm{Adj}(d, d')$ if and only if $d$ and 
$d'$ differ by the data of a single participant. 

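Definition 1: Let $\mathsf{D}$ be a space equipped with a symmetric 
binary relation denoted Adj, and let $(\mathsf{R}, \mathcal{M})$ be a measurable 
space. Let $\epsilon, \delta \geq 0$. A mechanism $M : \mathsf{D} \times \Omega \to \mathsf{R}$ is 
$(\epsilon, \delta)$-differentially private if for all $d, d' \in \mathsf{D}$ such that 
$\mathrm{Adj}(d, d')$, we have 

$$\mathbb{P}(M(d) \in S) \leq e^{\epsilon}\, \mathbb{P}(M(d') \in S) + \delta, \quad \forall S \in \mathcal{M}. \qquad (1)$$

If $\delta = 0$, the mechanism is said to be $\epsilon$-differentially private. 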

The definition says that for two adjacent datasets, the 
distributions over the outputs of the mechanism should be 
close. The choice of the parameters $\epsilon, \delta$ is set by the privacy 
policy. Typically $\epsilon$ is taken to be a small constant, e.g., 
$\epsilon \approx 0.5$ or perhaps even $\ln p$ for some small $p \in \mathbb{N}$. The 
parameter $\delta$ should be kept small as it controls the probability 
of certain significant losses of privacy, e.g., when a zero 
probability event for input $d'$ becomes an event with positive 
probability for input $d$ in (1). 

A fundamental property of the notion of differential privacy 
is that no additional privacy loss can occur by simply 
manipulating an output that is differentially private. To state 
it, recall that a probability kernel between two measurable 
spaces $(\mathsf{R}_1, \mathcal{M}_1)$ and $(\mathsf{R}_2, \mathcal{M}_2)$ is a function 
$k : \mathsf{R}_1 \times \mathcal{M}_2 \to [0, 1]$ such that $k(\cdot, S)$ is measurable for each 
$S \in \mathcal{M}_2$ and $k(r, \cdot)$ is a probability measure for each $r \in \mathsf{R}_1$. 

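Theorem 1 (Resilience to post-processing): Let 
$M_1 : \mathsf{D} \times \Omega \to (\mathsf{R}_1, \mathcal{M}_1)$ be an $(\epsilon, \delta)$-differentially private mechanism. 
Let $M_2 : \mathsf{D} \times \Omega \to (\mathsf{R}_2, \mathcal{M}_2)$ be another mechanism, such 
that there exists a probability kernel $k : \mathsf{R}_1 \times \mathcal{M}_2 \to [0, 1]$ 
verifying 

$$\mathbb{P}(M_2(d) \in S \mid M_1(d)) = k(M_1(d), S), \quad \text{a.s.} \qquad (2)$$

for all $S \in \mathcal{M}_2$ and $d \in \mathsf{D}$. Then $M_2$ is $(\epsilon, \delta)$-differentially 
private. 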

Note that in (2), the kernel $k$ is not allowed to depend 
on the dataset $d$. In other words, this condition says that 
once $M_1(d)$ is known, the distribution of $M_2(d)$ does not 
further depend on $d$. The theorem says that a mechanism 
$M_2$ accessing a dataset only indirectly via the output of 
a differentially private mechanism $M_1$ cannot weaken the 
privacy guarantee. 

B. A Basic Differentially Private Mechanism 

A mechanism that throws away all the information in a 
dataset is obviously private, but not useful, and in general one 
has to trade off privacy for utility when answering specific 
queries. We recall below a basic mechanism that can be used 
to answer queries in a differentially private way. We are only 
concerned in this section with queries that return numerical 
answers, i.e., here a query is a map $q : \mathsf{D} \to \mathsf{R}$, where the 
output space $\mathsf{R}$ equals $\mathbb{R}^k$ for some $k > 0$, is equipped with 
a norm denoted $\|\cdot\|_{\mathsf{R}}$, and the $\sigma$-algebra $\mathcal{M}$ on $\mathsf{R}$ is taken 
to be the standard Borel $\sigma$-algebra. The following quantity 
plays an important role in the design of differentially private 
mechanisms [12]. 

Definition 2: Let $\mathsf{D}$ be a space equipped with an adjacency 
relation Adj. The sensitivity of a query $q : \mathsf{D} \to \mathsf{R}$ is defined 
as 

$$\Delta_{\mathsf{R}}\, q := \max_{d, d' : \mathrm{Adj}(d, d')} \|q(d) - q(d')\|_{\mathsf{R}}.$$

In particular, for $\mathsf{R} = \mathbb{R}^k$ equipped with the $p$-norm 
$\|x\|_p = \left(\sum_{i=1}^{k} |x_i|^p\right)^{1/p}$, for $p \in [1, \infty]$, we denote the $\ell_p$ sensitivity 
by $\Delta_p q$. 

A differentially private mechanism proposed in [13] modifies 
an answer to a numerical query by adding iid zero-mean 
Gaussian noise. Recall the definition of the Q-function 

$$Q(x) := \frac{1}{\sqrt{2\pi}} \int_x^{\infty} e^{-\frac{u^2}{2}}\, du.$$

We have the following theorem [11], [13]. 

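Theorem 2: Let $q : \mathsf{D} \to \mathbb{R}^k$ be a query. Then the 
Gaussian mechanism $M_q : \mathsf{D} \times \Omega \to \mathbb{R}^k$ defined by $M_q(d) = 
q(d) + w$, with $w \sim \mathcal{N}(0, \sigma^2 I_k)$, where 
$\sigma \geq \frac{\Delta_2 q}{2\epsilon}\left(K + \sqrt{K^2 + 2\epsilon}\right)$ and $K = Q^{-1}(\delta)$, is $(\epsilon, \delta)$-differentially private. 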

For the rest of the paper, we define 

$$\kappa_{\delta,\epsilon} = \frac{1}{2\epsilon}\left(K + \sqrt{K^2 + 2\epsilon}\right)$$

so that the standard deviation $\sigma$ in Theorem 2 can be 
written $\sigma(\delta, \epsilon) = \kappa_{\delta,\epsilon}\, \Delta_2 q$. It can be shown that $\kappa_{\delta,\epsilon}$ 
behaves roughly as $O(\ln(1/\delta))^{1/2}/\epsilon$. For example, to guarantee 
$(\epsilon, \delta)$-differential privacy with $\epsilon = \ln(2)$ and $\delta = 0.05$, the 
standard deviation of the Gaussian noise introduced should 
be about 2.65 times the $\ell_2$-sensitivity of $q$. 

III. Filtering Event Streams 

We now turn to the description of our scenario of interest, 
similar to the one introduced in [7], [14]. A system receives 
an input signal $u = \{u_t\}_{t \geq 0}$ with values in the discrete 
set $\{\pm\frac{k}{2}, k \in \mathbb{N}\}$. Such a signal can for example record the 
number of occurrences of certain events of interest at each 
period (we centered the values around zero for convenience 
later on). Similarly to [7], [14], two signals $u$ and $u'$ are 
adjacent if and only if they differ at a single time by at most 
$d$, or equivalently 

$$\mathrm{Adj}(u, u') \text{ iff } u - u' = k\, \delta_{t_0}, \; |k| \leq d, \text{ for some } t_0, \qquad (3)$$

where $\delta_{t_0}$ denotes the discrete impulse at $t_0$. The motivation 
for this adjacency relation is that a given individual 
contributes events to the stream at a single time only, 
and we want to preserve event-level privacy [7], that is, 
hide to some extent the presence or absence of an event 
at a particular time. This could for example prevent the 
inference of individual transactions from publicly available 
collaborative filtering outputs, as in [15]. 

Even though individual events should be hidden, we would 
like to release a filtered version $Fu$ of the original signal, 
where $F$ is a given causal stable linear time-invariant system. 
Note that in this paper, all signals and filter coefficients are 
assumed to be real-valued, and all systems are single-input 
single-output. Privacy preserving approximations of $F$ can 
be developed based on the following sensitivity calculation. 

Fig. 1. Differentially private filter approximation set-up. For $v$ to be 
differentially private, we take $n$ to be a white Gaussian noise with variance 
$\mathbb{E}[|n_t|^2] = d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2$. 

Lemma 3: Let $G$ be a linear time-invariant system with 
impulse response $g := \{g_t\}_t$. Then, for the adjacency relation 
(3) on binary-valued input signals, the $\ell_p$ sensitivity of $G$ is 
$\Delta_p G = d\|g\|_p$. In particular for $p = 2$, we have $\Delta_2 G = 
d\|G\|_2$, where $\|G\|_2$ is the $\mathcal{H}_2$ norm of $G$. 

Proof: For two adjacent binary-valued signals $u, u'$, we 
have 

$$\|Gu - Gu'\|_p = \|G(u - u')\|_p = d\|g * \delta_{t_0}\|_p = d\|\{g_{t - t_0}\}_t\|_p = d\|g\|_p.$$

■ 

This leads to the following theorem, generalizing Theorem 
2 to dynamic systems. Certain technical measurability issues 
in the proof of this result are resolved in [11]. 

Theorem 4: The mechanism $M(u) = Gu + n$, where $n$ 
is a Gaussian white noise with covariance $d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2$, is 
$(\epsilon, \delta)$-differentially private for the adjacency relation (3). 

Theorem 4 can now be combined with Theorem 1 to obtain 
a family of privacy preserving mechanisms approximating 
$F$, as illustrated on Fig. 1. On that figure, the signal $v$ is 
differentially private, and hence $\hat{y}$ as well by the resilience 
to post-processing property (Theorem 1). Two extreme cases 
include $G = \mathrm{id}$, called input perturbation, and $H = \mathrm{id}$, called 
output perturbation. In general however, these two choices 
can exhibit very poor performance [10]. Throughout this 
paper, we measure the precision of specific approximations 
by the mean square error (MSE) between the published and 
desired outputs, i.e., 

$$\lim_{T \to \infty} \frac{1}{T} \sum_{t=0}^{T-1} \mathbb{E}\left[|e_t|^2\right]$$

with $e = y - \hat{y}$. The next section is devoted to the description 
of two ways of choosing the filters $G$, $H$ as linear filters. 
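
The calibration of Theorem 2 and the mechanism of Theorem 4, as an added Python example that is not code from the paper: it checks the sensitivity of Lemma 3 on two adjacent ±1/2 streams and measures the MSE of input and output perturbation. The 8-tap moving-sum filter, the stream, the seeds and all function names are constructed for this illustration.

```python
import math
import random
from statistics import NormalDist


def kappa(delta, eps):
    """kappa_{delta,eps} = (K + sqrt(K^2 + 2 eps)) / (2 eps), K = Q^{-1}(delta)."""
    K = NormalDist().inv_cdf(1.0 - delta)  # Q(x) = 1 - Phi(x)
    return (K + math.sqrt(K * K + 2.0 * eps)) / (2.0 * eps)


def convolve(g, u):
    """Full causal convolution (G u)_t = sum_k g_k u_{t-k}."""
    out = [0.0] * (len(u) + len(g) - 1)
    for t, ut in enumerate(u):
        for k, gk in enumerate(g):
            out[t + k] += gk * ut
    return out


def l2_norm(x):
    return math.sqrt(sum(v * v for v in x))


def adjacent_gap(g, u, t0):
    """||G u - G u'||_2 when u' flips the single event at time t0 (|u - u'| = 1)."""
    u_adj = list(u)
    u_adj[t0] = -u_adj[t0]
    return l2_norm([a - b for a, b in zip(convolve(g, u), convolve(g, u_adj))])


def empirical_mse(f, u, d, delta, eps, mode, rng):
    """MSE between y = F u and the private estimate, for the two extreme designs."""
    k = kappa(delta, eps)
    y = convolve(f, u)
    if mode == "input":      # G = id, H = F: noise on the events, then filter
        sigma = d * k        # ||id||_2 = 1
        y_hat = convolve(f, [x + rng.gauss(0.0, sigma) for x in u])
    elif mode == "output":   # G = F, H = id: filter, then noise on the output
        sigma = d * k * l2_norm(f)
        y_hat = [x + rng.gauss(0.0, sigma) for x in y]
    else:
        raise ValueError(mode)
    lo, hi = len(f), len(u)  # skip the start-up and tail transients
    return sum((a - b) ** 2 for a, b in zip(y_hat[lo:hi], y[lo:hi])) / (hi - lo)


# Constructed inputs: sliding count over 8 periods, binary +/-1/2 events, d = 1.
F_TAPS = [1.0] * 8
D, DELTA, EPS = 1.0, 0.05, math.log(2)


def make_stream(n, seed):
    rng = random.Random(seed)
    return [rng.choice((-0.5, 0.5)) for _ in range(n)]


def theoretical_mse():
    """With white noise, both extreme designs give d^2 kappa^2 ||F||_2^2."""
    return (D * kappa(DELTA, EPS) * l2_norm(F_TAPS)) ** 2


if __name__ == "__main__":
    u = make_stream(20000, seed=1)
    print("kappa:", round(kappa(DELTA, EPS), 3))
    print("d*||g||_2:", D * l2_norm(F_TAPS), "measured gap:", adjacent_gap(F_TAPS, u, 100))
    for mode in ("input", "output"):
        mse = empirical_mse(F_TAPS, u, D, DELTA, EPS, mode, random.Random(2))
        print(mode, "perturbation MSE:", round(mse, 2), "theory:", round(theoretical_mse(), 2))
```

Both extreme designs pay the full $d^2\kappa_{\delta,\epsilon}^2\|F\|_2^2$, which is the baseline the mechanisms of the next section improve on.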

IV. Linear Equalization Mechanisms 

A. Linear Zero-Forcing Mechanism 

We first recall a mechanism initially described in [10], 
which we call here the Linear Zero-Forcing (LZF) mechanism. 
Note that once the differentially private signal $v = 
Gu + n$ is obtained, the task of estimating $y$ from $v$ is 
a standard estimation (or equalization) problem. The LZF 
mechanism is based on the linear zero-forcing equalization 
idea, and its main advantage is that it requires no statistical 
information about the input signal $u$. Let $G$ be a stable, 
minimum phase filter (hence invertible). Let $H = FG^{-1}$. To 
guarantee $(\epsilon, \delta)$-differential privacy, the noise $n$ is chosen to 
be white Gaussian with variance $d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2$. The MSE for 
the LZF mechanism is then 

$$\mathcal{E}^{\mathrm{LZF}} = d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2 \|FG^{-1}\|_2^2.$$

The best possible choice of filters $G$ is then described in the 
following theorem [10]. 

Theorem 5: We have, for any stable, minimum phase 
system $G$, 

$$\mathcal{E}^{\mathrm{LZF}} \geq d^2 \kappa_{\delta,\epsilon}^2 \left(\frac{1}{2\pi} \int_{-\pi}^{\pi} |F(e^{j\omega})|\, d\omega\right)^2.$$

This lower bound on the mean-squared error of the LZF 
mechanism is attained by letting $|G(e^{j\omega})|^2 = \lambda |F(e^{j\omega})|$ for 
all $\omega \in [-\pi, \pi)$, where $\lambda$ is some arbitrary positive number. 
It can be approached arbitrarily closely by stable, rational, 
minimum phase transfer functions $G$. 

Note that if $|F(e^{j\omega})|$ satisfies the Paley-Wiener condition 

$$\frac{1}{2\pi} \int_{-\pi}^{\pi} \log |F(e^{j\omega})|\, d\omega > -\infty,$$

then it has a spectral factorization $|F(e^{j\omega})| = \phi^{+}(\omega)\phi^{-}(\omega)$ 
and the bound of Theorem 5 is attained by taking $G$ with 
impulse response 

$$g_k = \frac{1}{2\pi} \int_{-\pi}^{\pi} \phi^{+}(\omega)\, e^{j\omega k}\, d\omega, \quad k \geq 0.$$

Note also that the MSE obtained for the best LZF mechanism 
in Theorem 5 is independent of the input signal $u$. The 
design of $H$ does not attempt to minimize the effect of the 
noise $n$, as is the case with zero-forcing equalizers [16]. The 
next section discusses another scheme that achieves a smaller 
error but requires some additional public knowledge about 
the statistics of the input signal $u$. 
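
The trade-off behind Theorem 5, as an added Python example (not code from the paper): it evaluates the LZF MSE $d^2\kappa_{\delta,\epsilon}^2\|G\|_2^2\|FG^{-1}\|_2^2$ on a frequency grid for prefilters with $|G|^2 = |F|^{\alpha}$, so that α = 0 is input perturbation, α = 2 is output perturbation and α = 1 is the optimal shape. The filter $F(z) = 1/(1 - 0.9z^{-1})$, the grid size and the function names are assumptions of the example, which works with magnitude responses only and does not construct the minimum phase $G$.

```python
import cmath
import math
from statistics import NormalDist

# Constructed query: leaky accumulator F(z) = 1 / (1 - 0.9 z^-1).
NUM, DEN = [1.0], [1.0, -0.9]


def kappa(delta, eps):
    K = NormalDist().inv_cdf(1.0 - delta)  # K = Q^{-1}(delta)
    return (K + math.sqrt(K * K + 2.0 * eps)) / (2.0 * eps)


def magnitudes(num, den, n_grid=4096):
    """|F(e^{jw})| on a uniform grid of [-pi, pi); coefficients in powers of z^-1."""
    out = []
    for i in range(n_grid):
        zinv = cmath.exp(-1j * (-math.pi + 2.0 * math.pi * i / n_grid))
        n = sum(c * zinv ** k for k, c in enumerate(num))
        d = sum(c * zinv ** k for k, c in enumerate(den))
        out.append(abs(n / d))
    return out


def mean(values):
    """Uniform-grid approximation of (1/2pi) * integral over [-pi, pi)."""
    return sum(values) / len(values)


def lzf_mse(num, den, alpha, d, delta, eps):
    """LZF error for a prefilter whose magnitude satisfies |G|^2 = |F|^alpha."""
    mag = magnitudes(num, den)
    g_norm2 = mean([m ** alpha for m in mag])          # ||G||_2^2
    h_norm2 = mean([m ** (2.0 - alpha) for m in mag])  # ||F G^-1||_2^2
    return (d * kappa(delta, eps)) ** 2 * g_norm2 * h_norm2


def lzf_lower_bound(num, den, d, delta, eps):
    """Right-hand side of Theorem 5."""
    return (d * kappa(delta, eps) * mean(magnitudes(num, den))) ** 2


if __name__ == "__main__":
    d, delta, eps = 1.0, 0.05, math.log(2)
    print("Theorem 5 bound:", round(lzf_lower_bound(NUM, DEN, d, delta, eps), 3))
    for alpha in (0.0, 0.5, 1.0, 1.5, 2.0):
        print("alpha =", alpha, "MSE =", round(lzf_mse(NUM, DEN, alpha, d, delta, eps), 3))
```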

B. LMMSE Mechanism 

The main issue with linear zero-forcing equalizers in 
communication systems is the noise amplification behavior 
at frequencies where $|G(e^{j\omega})|$ is small, due to the inversion 
in $H = FG^{-1}$. However, this issue is not as problematic 
for the optimal LZF mechanism, since in this case we 
essentially have $|H(e^{j\omega})| = \sqrt{|F(e^{j\omega})|}$, i.e., the amplification 
is compensated by the fact that $|F(e^{j\omega})|$ and $|G(e^{j\omega})|$ are 
both small at the same frequencies. Nonetheless, in this 
section we explore a scheme based on minimum mean square 
equalization, which we call the Linear Minimum Mean 
Square Error (LMMSE) mechanism, and which can exhibit 
better performance than the LZF mechanism but requires 
some additional knowledge about the second order statistics 
of $u$. This scheme was briefly discussed in [10], but the 
optimization of $G$ described below was not performed in 
that paper. 

Hence, assume that it is publicly known that $u$ is 
wide-sense stationary with known mean $\mu$ and autocorrelation 
$r_u[k] = \mathbb{E}[u_t u_{t-k}], \forall k$. Without loss of generality, we can 
then assume $\mu$ to be zero, by subtracting the known mean 
of $y$ equal to $F(1)\mu$. The power spectral density of $u$ is 
denoted $P_u$, and is assumed to be rational for simplicity. 

The LMMSE mechanism is based on designing the filter 
H as a Wiener filter in order to estimate y from v. For 
tractability reasons, we derive the performance of the non- 
causal infinite impulse response Wiener filter, and optimize 
the choice of G with respect to this choice for H. Once G 
is fixed, real-time consideration issues can force us to use a 
suboptimal design with H a causal Wiener filter, or perhaps 
introducing a small delay. 

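The non-causal Wiener filter $H$ has the transfer function 

$$H(z) = \frac{P_{yv}(z)}{P_v(z)},$$

where $P_{yv}$ is the cross power spectral density of $y$ and $v$. 
Since $n$ and $u$ are uncorrelated, we have 

$$P_{yv}(z) = P_u(z) F(z) G(z^{-1}).$$

As for $P_v$, we have, with $n$ a white noise of variance 
$\sigma^2 = d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2$, 

$$P_v(z) = P_u(z) G(z) G(z^{-1}) + \sigma^2.$$

Hence 

$$H(z) = \frac{P_u(z) F(z) G(z^{-1})}{P_u(z) G(z) G(z^{-1}) + d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2}. \qquad (4)$$

The MSE can then be expressed as 

$$\mathcal{E}^{\mathrm{lmmse}} = \frac{1}{2\pi} \int_{-\pi}^{\pi} \frac{P_u(e^{j\omega})\, |F(e^{j\omega})|^2}{\frac{P_u(e^{j\omega})}{d^2 \kappa_{\delta,\epsilon}^2} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2} + 1}\, d\omega. \qquad (5)$$

Note that we recover the LZF mechanism in the limit 
$P_u(e^{j\omega}) \gg d^2 \kappa_{\delta,\epsilon}^2$. 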

1) Privacy-Preserving Filter Optimization: A close-to-optimal 
filter $G$ for the LMMSE mechanism can then be 
obtained by optimization, assuming initially that the 
reconstruction is done with the non-causal Wiener filter $H$. We 
discretize (5) at the set of frequencies $\omega_i = \frac{i\pi}{N}$, $i = 0 \ldots N$. 
Note that all functions in the integral (5) are even functions 
of $\omega$, hence we can restrict our attention to the interval $[0, \pi]$. 
We then define the $N + 1$ variables 

$$x_i = \frac{|G(e^{j\omega_i})|^2}{\|G\|_2^2}, \quad i = 0, \ldots, N, \qquad (6)$$

and the nonnegative constants 

$$\alpha_i = P_u(e^{j\omega_i})\, |F(e^{j\omega_i})|^2, \quad \beta_i = \frac{P_u(e^{j\omega_i})}{d^2 \kappa_{\delta,\epsilon}^2}, \quad i = 0, \ldots, N.$$

The minimization of the error (5) leads to the following 
problem (using a trapezoidal approximation of the integrals) 

$$\min_x \; \frac{1}{2N} \sum_{i=0}^{N-1} \left( \frac{\alpha_i}{\beta_i x_i + 1} + \frac{\alpha_{i+1}}{\beta_{i+1} x_{i+1} + 1} \right) \qquad (7)$$

$$\text{s.t.} \quad \frac{1}{2N} \sum_{i=0}^{N-1} (x_i + x_{i+1}) = 1, \qquad (8)$$

$$x_i \geq 0, \quad i = 0, \ldots, N.$$

Note that the constraint (8) comes from the fact that 

$$\frac{1}{\pi} \int_0^{\pi} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2}\, d\omega = \frac{1}{2\pi} \int_{-\pi}^{\pi} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2}\, d\omega = 1.$$

The optimization problem (7) is convex, and can thus be 
solved efficiently even for fine discretizations of the interval 
$[0, \pi]$. The transfer function of the filter $G$ can then be 
obtained for example by simple interpolation. 

Remark 1: Even if the statistical assumptions on u turn 
out not to be correct, the differential privacy guarantee of 
the LMMSE mechanism still holds and only its performance 
is impacted. 
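
One way to solve the discretized problem (7)-(8), as an added Python example rather than the paper's own code: the stationarity condition of the Lagrangian gives $x_i = \max(0, (\sqrt{\alpha_i\beta_i/\lambda} - 1)/\beta_i)$, and the multiplier $\lambda$ is found by bisection on the budget constraint (8). The query $F(z) = 1/(1 - 0.9z^{-1})$, the AR(1)-shaped spectrum $P_u$ and all names are assumptions of the example; the paper itself only states that the problem is convex.

```python
import math
from statistics import NormalDist


def kappa(delta, eps):
    K = NormalDist().inv_cdf(1.0 - delta)  # K = Q^{-1}(delta)
    return (K + math.sqrt(K * K + 2.0 * eps)) / (2.0 * eps)


def build_problem(n, d, delta, eps, a=0.9, rho=0.5, var=0.25):
    """alpha_i, beta_i and trapezoid weights on w_i = i*pi/n (constructed F and P_u)."""
    k2 = (d * kappa(delta, eps)) ** 2
    alpha, beta, wts, f_mag = [], [], [], []
    for i in range(n + 1):
        c = math.cos(i * math.pi / n)
        f2 = 1.0 / (1.0 - 2.0 * a * c + a * a)  # |F|^2 for F = 1/(1 - a z^-1)
        pu = var * (1.0 - rho ** 2) / (1.0 - 2.0 * rho * c + rho ** 2)
        alpha.append(pu * f2)
        beta.append(pu / k2)
        f_mag.append(math.sqrt(f2))
        wts.append((0.5 if i in (0, n) else 1.0) / n)  # (1/2N) sum (h_i + h_{i+1})
    return alpha, beta, wts, f_mag


def mse(x, alpha, beta, wts):
    """Objective (7): trapezoidal approximation of the LMMSE error (5)."""
    return sum(w * a / (b * xi + 1.0) for w, a, b, xi in zip(wts, alpha, beta, x))


def budget(x, wts):
    """Left-hand side of constraint (8)."""
    return sum(w * xi for w, xi in zip(wts, x))


def normalize(shape, wts):
    """Scale a candidate |G|^2 shape so that it satisfies (8)."""
    s = budget(shape, wts)
    return [v / s for v in shape]


def solve(alpha, beta, wts, iters=200):
    """Water-filling solution of (7)-(8) by bisection on the multiplier lambda."""
    def x_of(lam):
        return [max(0.0, (math.sqrt(a * b / lam) - 1.0) / b) for a, b in zip(alpha, beta)]

    lo, hi = 1e-15, max(a * b for a, b in zip(alpha, beta))  # budget is 0 at hi
    for _ in range(iters):
        mid = math.sqrt(lo * hi)  # geometric midpoint: lambda spans many decades
        if budget(x_of(mid), wts) > 1.0:
            lo = mid
        else:
            hi = mid
    return x_of(math.sqrt(lo * hi))


if __name__ == "__main__":
    alpha, beta, wts, f_mag = build_problem(200, 1.0, 0.05, math.log(2))
    x_opt = solve(alpha, beta, wts)
    candidates = {
        "flat |G| (input perturbation)": [1.0] * len(x_opt),
        "|G|^2 proportional to |F| (LZF shape)": normalize(f_mag, wts),
        "solution of (7)-(8)": x_opt,
    }
    for name, x in candidates.items():
        print(name, "-> MSE", round(mse(x, alpha, beta, wts), 4))
    print("frequencies with zero gain:", sum(1 for v in x_opt if v == 0.0), "of", len(x_opt))
```

With these constructed values the optimum assigns zero gain to the high frequencies, where the signal contributes little to $Fu$ compared with the privacy noise.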

2) Causal Mechanism: The previous description of the 
LMMSE mechanism involves a possibly non-causal filter $H$. 
Sometimes, the anti-causal part of this filter might have a fast 
decreasing impulse response, in which case the scheme can 
be implemented approximately by introducing a small delay 
in the release of the output signal y. Otherwise, we need to 
implement a causal Wiener filter $H$. Denoting the spectral 
factorization of $P_v$ 

$$P_v(z) = \gamma_v^2\, Q_v(z)\, Q_v(z^{-1}),$$

we then have 

$$H(z) = \frac{1}{\gamma_v^2\, Q_v(z)} \left[ \frac{P_{yv}(z)}{Q_v(z^{-1})} \right]_+,$$

where, for a linear filter $L$ with impulse response 
$\{l_t\}_{-\infty < t < \infty}$, $[L(z)]_+$ denotes the causal filter with impulse 
response $\{l_t \mathbf{1}_{\{t \geq 0\}}\}_t$. Due to the more complex expression 
for $H$ and the resulting MSE, the design of the optimal filter 
$G$ in this case is left for future work. Here, we optimize 
$G$ assuming a possibly non-causal filter $H$, and then simply 
modify $H$ afterwards if causality needs to be enforced. 

V. Decision-Feedback Mechanisms 

In general, solutions to the problem of reconstructing 
the optimum maximum-likelihood estimator of $\{(Fu)_k\}_{k \geq 0}$ 
from $\{v_k\}_{k \geq 0}$ are computationally intensive and require 
the knowledge of the full joint probability distribution of 
$\{u_k\}_{k \geq 0}$ [16]. This is the main reason why simpler linear 
architectures such as the one described in Section IV 
are more often implemented in communication receivers. 
However, so far, we have not exploited in the estimation 
procedures the knowledge that the input signal takes discrete 
values (or perhaps is even binary valued, as in [7], [8]). 
This can be done by introducing only a slight degree of 
nonlinearity, using the idea of decision-feedback equalization 
[16]. We call the resulting mechanism a Decision-Feedback 
(DF) mechanism. Its architecture is depicted on Fig. 2. 

Fig. 2. Decision-feedback mechanism. The decision block is nonlinear 
and depends on the knowledge about the input signal u, acting as a 
detector/quantizer. 

The second stage of a DF mechanism consists of a 
forward filter $H_1$, a nonlinear decision procedure (detector 
or quantizer) to estimate $u$ from $\tilde{u}$, which exploits the fact 
that $u$ takes discrete values, and a filter $H_2$ that feeds back 
the previous symbol decisions to correct the intermediate 
estimate $\tilde{u}$. $H_2$ is assumed to be strictly causal, but generally 
$H_1$ is taken to be non-causal in standard equalizers, 
for better performance [17]. Hence, DF mechanisms will 
typically introduce a small delay in the publication of the 
output signal y. In the absence of detailed information about 
the distribution of $u$, the decision device can be a simple 
quantizer for integer valued input sequences, or a detector 
$\hat{u}_k = \mathrm{sign}(\tilde{u}_k)$ for binary valued input sequences. 

DF equalizers have a long history, and approximate 
expressions for their MSE can be derived [17]. For tractability 
reasons, these derivations invariably make the simplifying 
assumption that the decisions $\hat{u}$ that enter the feedback 
filter are correct, i.e., $\hat{u} = u$. Unfortunately, it appears that 
optimizing $G$ for the resulting approximate expression of the 
MSE is often not a good strategy, because the simplification 
results in a filter $G$ that does not need to be adapted to 
the query $F$ any more (only to $P_u$). Still, we detail this 
optimization below and discuss an alternative design strategy 
for $G$ at the end of the section. 

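The error between the desired output $Fu$ and the signal 
$F\tilde{u}$, where $\tilde{u}$ is the input of the detector, is 

$$F(u - \tilde{u}) = F(u - H_1 v + H_2 \hat{u}),$$

which, under the standard but simplifying assumption that 
$\hat{u} = u$, gives 

$$e \approx F(Bu - H_1 v),$$

with $B(z) = 1 + H_2(z)$ a monic filter (since $H_2$ is strictly 
causal). As in Section IV-B, minimizing this approximate 
error (over possibly non-causal filters) requires $H_1$ to satisfy 

$$H_1(z) = B(z) \frac{P_{uv}(z)}{P_v(z)} = B(z) \frac{P_u(z) G(z^{-1})}{P_u(z) G(z) G(z^{-1}) + d^2 \kappa_{\delta,\epsilon}^2 \|G\|_2^2}.$$

For this choice of $H_1$, the approximate MSE becomes 

$$\mathcal{E}^{\mathrm{DF}} = \frac{1}{2\pi} \int_{-\pi}^{\pi} \frac{P_u(e^{j\omega})\, |B(e^{j\omega})|^2\, |F(e^{j\omega})|^2}{\frac{P_u(e^{j\omega})}{d^2 \kappa_{\delta,\epsilon}^2} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2} + 1}\, d\omega. \qquad (9)$$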

Assuming now the spectral factorizations 

$$P_u(e^{j\omega}) = \gamma_u^2\, |Q_u(e^{j\omega})|^2$$

$$|F(e^{j\omega})|^2 = \gamma_F^2\, |Q_F(e^{j\omega})|^2$$

$$\frac{P_u(e^{j\omega})}{d^2 \kappa_{\delta,\epsilon}^2} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2} + 1 = \gamma^2\, |Q(e^{j\omega})|^2$$

with $Q$, $Q_u$ and $Q_F$ canonical filters (monic, causal and 
minimum-phase), the approximate error (9) can be minimized 
by setting 

$$B(z) = \frac{Q(z)}{Q_u(z)\, Q_F(z)}.$$

The minimum approximate MSE is then 

$$\frac{\gamma_u^2 \gamma_F^2}{\gamma^2} = \gamma_u^2 \gamma_F^2 \exp\left( -\frac{1}{2\pi} \int_{-\pi}^{\pi} \ln\left( \frac{P_u(e^{j\omega})}{d^2 \kappa_{\delta,\epsilon}^2} \frac{|G(e^{j\omega})|^2}{\|G\|_2^2} + 1 \right) d\omega \right). \qquad (10)$$

The last expression is based on a well-known formula for 
$\gamma^2$, see [18, p. 105]. Hence we see that an artifact of this 
approach is that the influence of $F$ and $G$ is decoupled, 
and thus the minimization of (10) over $G$ leads to a solution 
that is independent of $F$, which is generally undesirable. For 
example, for $u$ iid with $P_u(e^{j\omega}) = 1$, optimizing (10) gives 
the trivial solution $G(e^{j\omega}) = 1$, and the whole mechanism 
reduces to an input perturbation scheme with an additional 
decision stage. Nonetheless, for completeness we mention 
that optimizing (10) over the choice of $G$ can be done using 
a discretization approach similar to the one used in Section 
IV-B.1, now solving the convex optimization problem 

$$\max_x \; \frac{1}{2N} \sum_{i=0}^{N-1} \left( \ln(\beta_i x_i + 1) + \ln(\beta_{i+1} x_{i+1} + 1) \right) \qquad (11)$$

$$\text{s.t.} \quad \frac{1}{2N} \sum_{i=0}^{N-1} (x_i + x_{i+1}) = 1$$

$$x_i \geq 0, \quad i = 0, \ldots, N.$$



In view of these issues, we mention an alternative design 
strategy for DF-mechanisms. Note from (4) that the (non-causal) 
LMMSE mechanism involves a reconstruction filter 
$H(z) = F(z) H_u(z)$, with $H_u$ the LMMSE estimator for 
$u$. Therefore we can interpret the DF mechanism on Fig. 2 
as introducing an additional stage to the linear mechanisms, 
to discretize the estimate of $u$, and replacing $H_u$ by $H_1$. 
A strategy to improve on the performance of the LMMSE 
(or LZF) mechanism is then to keep the same prefilter $G$ 
designed in Section IV-B but simply replace the Wiener filter 
by a decision-feedback equalizer. Our preliminary results 
tend to confirm that good performance is achievable with 
this strategy. 

VI. Example 

Consider approximating the filter 

$$F(z) = \frac{1 + 0.995 z^{-1}}{1 - 0.995 z^{-1}},$$

with the privacy parameters set to $\epsilon = \ln 3$, $\delta = 0.05$. The 
(wide-sense stationary) input signal is assumed to be binary 
valued, i.e., $u_t \in \{\pm\frac{1}{2}\}$ for all $t$, with zero mean and power 
spectral density 

$$P_u(z) = \frac{3/4}{(1 - \frac{1}{2} z^{-1})(1 - \frac{1}{2} z)}.$$

Such a signal can be generated by a two-state Markov chain 
in the stationary regime, with transition probability matrix 

$$\begin{bmatrix} 3/4 & 1/4 \\ 1/4 & 3/4 \end{bmatrix},$$

one state corresponding to the input $-1/2$, and the other 
state corresponding to the input $1/2$, see, e.g., [19]. In this 
context we can imagine that the transitions are generated 
by individual users, and we want to prevent an adversary 
analyzing the trace $\{(Fu)_t\}_t$ to infer with confidence in 
which state the chain was at a particular time. 

We designed four mechanisms: LZF, LMMSE with $G$ 
optimized based on (7), DF with $G$ optimized based on (11), 
and DF with the same $G$ as for the LMMSE mechanism. The 
DF estimators introduce a 5-period delay in the production 
of the estimate (finite impulse response equalizers were 
implemented here, based on [17]). Typical sample paths for 
these four mechanisms are shown on Fig. 3. The theoretical 
root MSE (RMSE) for the LZF and (non-causal) LMMSE 
mechanisms are 8.82 and 7.43 respectively. We see that 
the DF mechanisms significantly reduce the fluctuations in 
the produced output. Moreover, the LMMSE pre-filter $G$ 
leads to a clearly better performance for the DF mechanism 
than the one based on (11) in this case. The magnitude 
of the frequency response $|G(e^{j\omega})|$ is shown on Fig. 4 
for both filters. The cutoff of the LMMSE pre-filter occurs 
much earlier, taking into account the fact that $F$ filters the 
high frequencies of $u$ anyway, and this helps to reduce the 
degradation due to the privacy-preserving noise $n$. 

VII. Conclusions and Future Works 

In this paper, we have described several estimation tech- 
niques that can be leveraged to minimize the impact on 
performance of a differential privacy specification for the 
filtering of event streams. The architecture considered here 
for the privacy mechanisms decomposes the problem into a 
standard equalization problem, for which many alternative 
techniques could be used, and a first-stage privacy-preserving 
filter optimization problem. Future work on differentially 
private filtering for event streams includes enforcing privacy 
in scenarios where a single end-user can generate events at 
multiple times, optimizing SIMO and MIMO architectures 
from a state-space perspective, and adaptive mechanisms that 
work in the absence of statistics for the input signals. 